Microsoft locks out VeraCrypt and WireGuard devs, blames verification process
- Reference: 1775743211
- News link: https://www.theregister.co.uk/2026/04/09/microsoft_dev_account_deactivations/
Mounir Idrassi and Jason Donenfeld, the developers behind VeraCrypt and WireGuard respectively, both recently reported that Microsoft locked them out of their developer accounts for reasons unknown to them.
Idrassi [1]publicized his experience on March 30, saying: "Microsoft did not send me any emails or prior warnings. I have received no explanation for the termination and their message indicates that no appeal is possible.
"I have tried to contact Microsoft through various channels but I have only received automated replies and bots. I was unable to reach a human."
Speaking to The Register this week, the developer said that he had still not heard anything from Microsoft.
The lockout affected the developer account associated with IDRIX, the company behind VeraCrypt, which also handles other projects beyond the encryption utility.
"I cannot sign the VeraCrypt driver or the VeraCrypt bootloader through the hardware dashboard," he said. "This also prevents me from signing drivers and components for my customers on different projects, so this situation impacts my work beyond VeraCrypt."
It was a similar story for Donenfeld, who also claimed Microsoft had not made him aware of why his account access was revoked.
"No warning at all, no notification," he wrote on [6]Hacker News. "One day, I sign in to publish an update, and yikes, account suspended."
He also expressed concerns about cybersecurity. If the WireGuard team became aware of a vulnerability affecting the VPN, he would have no way of signing an update to patch it.
"As somebody on Hacker News noted, if someone was a bad actor, right now would be a pretty good time to start exploiting [8]zero days in WireGuard. I mean, hopefully there aren't zero days in WireGuard. But if there were, Jiminy Cricket!"
Donenfeld told The Register that his saga began roughly two weeks ago, after spending weeks working on improvements to the WireGuard user application and its kernel driver, including rebuilding the latter's infrastructure to pass the Windows Hardware Lab Kit (WHLK) test suite, which he described as "a neat project," but "a massive pain."
He said: "With the WHLK package ready, I got a new super expensive EV code signing certificate – this Microsoft requirement is kind of a racket in its own right – and I was ready to login to the Partner Portal and submit my signed WHLK package and driver to Microsoft for automated inspection, which usually results in a Microsoft signature required for loading drivers into the kernel."
However, he was met with a message saying that his account had been deactivated.
[9]
Microsoft's message to WireGuard's Jason Donenfeld, informing of his account deactivation
"Microsoft never sent me any notification at all about this," Donenfeld added. "I've looked in every inbox in every spam folder in every mail log, and zero, nothing, zilch."
The appeals process directed Donenfeld to an AI support ticket tool, but this didn't allow him to select the workplace to which the appeal pertained because his account was deactivated.
This caused what he called a catch-22 scenario, where he needed to file the appeal to reinstate his account, but he also needed an account to file the appeal.
The workaround he eventually found was to file an appeal via the Azure team for something unrelated, and get them to redirect it to the right team.
"Finally this week, and after bugging some friends who work at Microsoft, and after emailing the authors of those blog posts, some news started to trickle out," Donenfeld said via email. "They received the appeal. It takes 60 days. No, no amount of pressure or vouching that I am, in fact, a real person with a real project (used by Microsoft themselves, apparently!) will speed it up. Sixty days. No exceptions.
"By the way, they didn't note what was required for the appeal in terms of documentation, so I just sort of guessed. So, after sixty days, they could just deny it, and I'd be screwed.
"It struck me as contrary to Microsoft's business interests, so I emailed [Microsoft's Standards of Business Conduct department]. But they didn't think it was important enough and referred me to the executive support team instead, who told me yesterday that the right people did, in fact, receive my appeal (I had no prior confirmation), but there was nothing to do to get it processed and no insight into when/how/etc. Totally opaque."
Microsoft responds
Pavan Davuluri, Microsoft's President of Windows and Devices, said both Idrassi and Donenfeld should have their accounts restored "soon."
"We've seen these reports and are actively working to resolve this as quickly as possible," Davuluri [10]Xeeted. "We've reached out to VeraCrypt and have spoken to Jason at WireGuard, they should be back up and running soon."
He explained that both deactivations were executed as part of the Windows Hardware Program's account verification procedures.
The company published a [11]blog in October, giving devs a two-week warning that if their accounts had not been verified since April 2024, Microsoft would issue mandatory account verification notifications.
"We worked hard to make sure partners understood this was coming, from emails, banners, reminders," said Davuluri.
"And we know that sometimes things still get missed. We're taking this as an opportunity to review how we communicate changes like this and make sure we're doing it better."
For anyone else looking for help with reinstating their accounts, it's [12]Copilot to the rescue. Davuluri pointed those in similar boats to a [13]support page outlining the steps they can take.
Since Davuluri's social media post, Donenfeld confirmed to The Register that his account was reinstated and he was able to get his kernel driver update out as of Thursday morning. ®
[1] https://sourceforge.net/p/veracrypt/discussion/general/thread/9620d7a4b3/
[6] https://news.ycombinator.com/item?id=47687884
[8] https://www.theregister.com/2026/04/07/anthropic_all_your_zerodays_are_belong_to_us/
[9] https://regmedia.co.uk/2026/04/09/jason_donenfeld_microsft_message.jpg
[10] https://x.com/pavandavuluri/status/2042018254680682625
[11] https://techcommunity.microsoft.com/blog/hardware-dev-center/action-required-account-verification-for-windows-hardware-program-begins-october/4455452
[12] https://www.theregister.com/2026/04/02/copilot_terms_of_service/
[13] https://learn.microsoft.com/en-us/windows-hardware/drivers/dashboard/technical-support
Re: Incompetence, malice
"The company published a blog in October, giving devs a two-week warning that if their accounts had not been verified since April 2024, Microsoft would issue mandatory account verification notifications.
"We worked hard to make sure partners understood this was coming, from emails, banners, reminders," said Davuluri."
So it took 2 years for their accounts to be deactivated? Or 2 years for Micro$lop to get around to sending out notifications to these guys?
I'd say it's a little of column A, and a little of column B.
Re: Incompetence, malice
It's too easy to come up with conspiracy theories when there's so much noise for any given signal.
Yes, Anthropic have given the big hitters access to a super vulnerability-finding, exploit-generating model and yes, open source encryption utilities behind full disk encryption and consumer VPN services are suddenly being prevented from pushing updates, and yes, this will predominantly affect those tin foil hatters that don't use BitLocker. VeraCrypt can't sign its bootloader for the July 2026 bootloader signing changeover so yes, those people will have to install BitLocker to "stay safe", but that's just a coincidence.
Isn't it?
Something similar happened to an Apple developer a while ago. We hear of businesses described as too big to fail. Sometimes it seems they're too big to succeed.
MS "published a blog"???
Utter nonsense, you don't communicate potentially disruptive actions to your customer via a blog, nor do you block their accounts without at least a few days prior warning direct to their registered account contact email(s).
This is a rampant problem in the Microsoft partner program right now, impacting a lot of smaller VARs and MSPs. Accounts are being suspended without notice, with no reason cited, and nobody at Microsoft will talk to you. You get an AI generated form email, and that's it. They can't seem to do anything right these days.
For a minute there it seemed like a case similar to the Browsergate.
Computer Says NO
This kind of crap, where the only thing you can talk to when things go wrong is a bot, will hopefully be the undoing of companies who think this is OK.
The two individuals here are high profile enough to get written about when it happens to them. How many other voices are there out there crying into an impenetrable maze of bots and auto-responders and have nobody to speak for them? How would Microsoft even know about these people if one must have a working account to report a problem with the account?
Re: Computer Says NO
Around 2002 or so, prior to its descent into insecurity and unusability, I had a Yahoo email account. My primary email worked fine with POP3 and IMAP, but had no web interface. Since many job sites blocked POP3 and/or IMAP, that meant no email until I returned home, so Yahoo was the email I could use from anywhere.
It also had a good (for the time) calendar and contacts manager, as well as an RSS reader, a briefcase (basically cloud storage), and some other useful features.
That was, until one day, I couldn't log in. I was logged in at my work site, but at home I couldn't log in. I got an incoherent error message that said I had to reset my password. So I went to change it, but that failed with a different incoherent message. So, I hit the password reset button, which failed with a third message. So, I read their help, which said to do all the things I'd already done, and then call their 1-800 number. The 1-800 was just a recorded message saying to go to the forum. The forum told me to open a ticket. I opened a ticket, which was closed instantly with a canned response telling me to "use the password reset system", which was the system I was reporting wasn't working.
At no point was I able to talk with a human being. The forums, which supposedly had Yahoo techs, just responded with boilerplate canned responses.
When I created the account, I linked it to other email accounts for recovery, but those were completely ignored. I was effectively locked out.
Fortunately, I was still logged in at work in a browser instance, so I wiped the account. I deleted all emails, calendar entries, RSS, contacts, the works. I then set up an auto-reply saying this account was dead, and how to contact me at my other email.
Months later, I got a barrage of emails from Yahoo support at my recovery email address. A tech had discovered an issue with their password server that had locked out a "small number of users" and I was one of them. They'd fixed it a month ago, and while following up, they'd discovered I hadn't logged in in months. Why hadn't I opened a ticket? I had, in fact, but it had been closed instantly (within 10 minutes) with any apparent human interaction.
I checked, and yes, they'd restored the account, but I never used them again. I'm not going to trust my account to a system that provably was unable to recover from a system failure, and which had no meaningful escalation process. It was a secondary account for me, but for those to whom their Yahoo email was their primary, or only, email account, that would have been a devastating problem for them, and there was no way to address it.
I've had friends relate similar horror stories about Google, and Microsoft, and Apple, with unreachable and/or incompetent tech support, and the service having a single point of failure.
For a free service, you get what you pay for. Putting a mission critical service on a vendor that has no human CSR (customer service rep) process is foolish, almost suicidal.
Say what you will about IBM, and I've said a lot myself, but when a customer called up a CSR with a complaint like this, they got a human being to deal with it. They paid for that support, but they didn't have to worry about being ignored when their systems failed.
I vote Incompetence
It's not as if MS don't have lots of experience in that field. Despite what the MS drone said, I don't really believe that Jason would have missed emails warning of a change in process.
Reminds me of Microsoft Skydrive
As an early adopter of Microsoft Skydrive, I was given 100GB of free storage when I signed up. It was a really neat way to use office apps and store files to share and collaborate on. One day, without any warning, I was locked out. Microsoft had rebranded it to One Drive, and everything was now gone. Thankfully I had it all backed up offline, but I was completely locked out and there were no humans to help. There was a cycle of useless automated help that went nowhere.
Mounir Idrassi and Jason Donenfeld are lucky to be 'celebrities' in the IT world who were able to get some attention and they have contacts at Microsoft. But if you're just a small time reg reader like Rory B Bellows, there isn't much you can do.
Incompetence, malice
The cynic in me:
Someone high up in the food chain wanted to be sure that they could keep exploiting issues they discovered and never published. All these automatic updates ruin their ability to read all those private communications and files. That is a Bad Thing™ and it must stop! Microsoft responded kindly by locking out the developers.
Or copilot flagged the projects because they were encrypted. You decide, incompetence or malice?